Ch13 Protecting Networks with Security Devices

61
Hands-On Ethical Hands-On Ethical Hacking and Network Hacking and Network Defense Defense Chapter 13 Chapter 13 Protecting Networks with Security Devices Protecting Networks with Security Devices Last modified 6-4- 09

description

Protecting Networks with Security Devices

Transcript of Ch13 Protecting Networks with Security Devices

Page 1: Ch13 Protecting Networks with Security Devices

Hands-On Ethical Hacking Hands-On Ethical Hacking and Network Defenseand Network Defense

Chapter 13Chapter 13Protecting Networks with Security DevicesProtecting Networks with Security Devices

Last modified 6-4-09

Page 2: Ch13 Protecting Networks with Security Devices

ObjectivesObjectives

Describe network security devicesDescribe network security devices

Describe firewall technologyDescribe firewall technology

Describe intrusion detection systemsDescribe intrusion detection systems

Describe honeypotsDescribe honeypots

Page 3: Ch13 Protecting Networks with Security Devices

RoutersRoutersRouters are like intersections; switches are like Routers are like intersections; switches are like streets streets – Image from Wikipedia (link Ch 13a)Image from Wikipedia (link Ch 13a)

Router

Page 4: Ch13 Protecting Networks with Security Devices

Understanding RoutersUnderstanding Routers

Routers are hardware devices used on a Routers are hardware devices used on a network to send packets to different network to send packets to different network segmentsnetwork segments– Operate at the network layer of the OSI modelOperate at the network layer of the OSI model

Page 5: Ch13 Protecting Networks with Security Devices

Routing ProtocolsRouting Protocols

Routers tell one another what paths are Routers tell one another what paths are available with Routing Protocolsavailable with Routing Protocols– Link-state routing protocolLink-state routing protocol

Each router has complete information about every Each router has complete information about every network linknetwork link

Example: Open Shortest Path First (OSPF)Example: Open Shortest Path First (OSPF)

– Distance-vector routing protocolDistance-vector routing protocolRouters only know which direction to send Routers only know which direction to send packets, and how farpackets, and how far

Example: Routing Information Protocol (RIP)Example: Routing Information Protocol (RIP)

Page 6: Ch13 Protecting Networks with Security Devices

Cisco RoutersCisco Routers

Image from cisco.com (link Ch 13b)Image from cisco.com (link Ch 13b)

Page 7: Ch13 Protecting Networks with Security Devices

Understanding Basic Hardware Understanding Basic Hardware RoutersRouters

Cisco routers are widely used in the Cisco routers are widely used in the networking communitynetworking community– More than one million Cisco 2500 series More than one million Cisco 2500 series

routers are currently being used by companies routers are currently being used by companies around the worldaround the world

Vulnerabilities exist in Cisco as they do in Vulnerabilities exist in Cisco as they do in any operating systemany operating system– See link Ch 13cSee link Ch 13c

Page 8: Ch13 Protecting Networks with Security Devices

Cisco Router ComponentsCisco Router Components

Internetwork Operating System (IOS)Internetwork Operating System (IOS)

Random access memory (RAM)Random access memory (RAM)– Holds the router’s running configuration, Holds the router’s running configuration,

routing tables, and buffersrouting tables, and buffers– If you turn off the router, the contents stored in If you turn off the router, the contents stored in

RAM are wiped outRAM are wiped out

Nonvolatile RAM (NVRAM)Nonvolatile RAM (NVRAM)– Holds the router’s configuration file, but the Holds the router’s configuration file, but the

information is not lost if the router is turned offinformation is not lost if the router is turned off

Page 9: Ch13 Protecting Networks with Security Devices

Cisco Router ComponentsCisco Router Components

Flash memoryFlash memory– Holds the IOS the router is usingHolds the IOS the router is using– Is rewritable memory, so you can upgrade the Is rewritable memory, so you can upgrade the

IOSIOS

Read-only memory (ROM)Read-only memory (ROM)– Contains a minimal version of the IOS used to Contains a minimal version of the IOS used to

boot the router if flash memory gets corruptedboot the router if flash memory gets corrupted

Page 10: Ch13 Protecting Networks with Security Devices

Cisco Router ComponentsCisco Router Components

InterfacesInterfaces– Hardware connectivity pointsHardware connectivity points– Example: an Ethernet port is an interface that Example: an Ethernet port is an interface that

connects to a LANconnects to a LAN

Page 11: Ch13 Protecting Networks with Security Devices

Michael LynnMichael Lynn

He presented a major He presented a major Cisco security Cisco security vulnerability at the vulnerability at the Black Hat security Black Hat security conference in 2005conference in 2005He lost his job, was He lost his job, was sued, conference sued, conference materials were materials were confiscated, etc.confiscated, etc.– See links Ch 13 d, e, f, gSee links Ch 13 d, e, f, g

Page 12: Ch13 Protecting Networks with Security Devices

Cisco IOS is Cisco IOS is controlled from the controlled from the command linecommand line

The details are not The details are not included in this included in this classclass

Skip pages 324-Skip pages 324-329329

Page 13: Ch13 Protecting Networks with Security Devices

Understanding FirewallsUnderstanding Firewalls

Firewalls are hardware devices or software Firewalls are hardware devices or software installed on a system and have two installed on a system and have two purposespurposes– Controlling access to all traffic that enters an Controlling access to all traffic that enters an

internal networkinternal network– Controlling all traffic that leaves an internal Controlling all traffic that leaves an internal

networknetwork

Page 14: Ch13 Protecting Networks with Security Devices

Hardware FirewallsHardware Firewalls

Advantage of hardware firewallsAdvantage of hardware firewalls– Faster than software firewalls (more throughput)Faster than software firewalls (more throughput)

Disadvantages of hardware firewallsDisadvantages of hardware firewalls– You are limited by the firewall’s hardwareYou are limited by the firewall’s hardware

Number of interfaces, etc.Number of interfaces, etc.

– Usually filter incoming traffic only (link Ch 13i)Usually filter incoming traffic only (link Ch 13i)

Page 15: Ch13 Protecting Networks with Security Devices

Software FirewallsSoftware Firewalls

Advantages of software Advantages of software firewallsfirewalls– Customizable: can Customizable: can

interact with the user to interact with the user to provide more protectionprovide more protection

– You can easily add NICs You can easily add NICs to the server running the to the server running the firewall softwarefirewall software

Page 16: Ch13 Protecting Networks with Security Devices

Software FirewallsSoftware Firewalls

Disadvantages of software firewallsDisadvantages of software firewalls– You might have to worry about You might have to worry about

configuration problemsconfiguration problems– They rely on the OS on which they are They rely on the OS on which they are

runningrunning

Page 17: Ch13 Protecting Networks with Security Devices

Firewall TechnologiesFirewall Technologies

Network address translation (NAT)Network address translation (NAT)

Access control lists (Packet filtering)Access control lists (Packet filtering)

Stateful packet inspection (SPI)Stateful packet inspection (SPI)

Page 18: Ch13 Protecting Networks with Security Devices

Network Address Translation Network Address Translation (NAT)(NAT)

Internal private IP addresses are mapped Internal private IP addresses are mapped to public external IP addressesto public external IP addresses– Hides the internal infrastructureHides the internal infrastructure

Port Address Translation (PAT)Port Address Translation (PAT)– This allows thousands of internal IP This allows thousands of internal IP

addresses to be mapped to one external IP addresses to be mapped to one external IP addressaddress

– Each connection from the private network is Each connection from the private network is mapped to a different public portmapped to a different public port

Page 19: Ch13 Protecting Networks with Security Devices

192.168.1.101:1100 192.168.1.102:1100

192.168.1.102:1103

147.144.20.1:1201

147.144.20.1:1202

147.144.20.1:1203

Router providing NAT and PAT

Public Addresses

Private Addresses

Page 20: Ch13 Protecting Networks with Security Devices

Access Control ListsAccess Control Lists

A series of rules to A series of rules to control trafficcontrol traffic

CriteriaCriteria– Source IP addressSource IP address– Destination IP addressDestination IP address– Ports or servicesPorts or services– More possibilitiesMore possibilities

Same as “Packet Same as “Packet Filtering” Filtering”

Page 21: Ch13 Protecting Networks with Security Devices

Stateful Packet Inspection (SPI)Stateful Packet Inspection (SPI)

Stateful packet filters examine the current Stateful packet filters examine the current state of the networkstate of the network– If you have sent a request to a server, If you have sent a request to a server,

packets from that server may be allowed inpackets from that server may be allowed in– Packets from the same server might be Packets from the same server might be

blocked if no request was sent firstblocked if no request was sent first

Page 22: Ch13 Protecting Networks with Security Devices

State TableState Table

Stateful firewalls maintain aStateful firewalls maintain a state table state table showing the current connectionsshowing the current connections

Page 23: Ch13 Protecting Networks with Security Devices

ACK Port scanACK Port scan

Used to get information about a firewallUsed to get information about a firewall

Stateful firewalls track connection and Stateful firewalls track connection and block unsolicited ACK packetsblock unsolicited ACK packets

Stateless firewalls only block incoming Stateless firewalls only block incoming SYN packets, so you get a RST responseSYN packets, so you get a RST response

We covered this in chapter 5We covered this in chapter 5

Page 24: Ch13 Protecting Networks with Security Devices

Stateful Packet Inspection (SPI)Stateful Packet Inspection (SPI)

Stateful packet filters recognize types of Stateful packet filters recognize types of anomalies that most routers ignoreanomalies that most routers ignore

Stateless packet filters handle each packet Stateless packet filters handle each packet on an individual basison an individual basis– This makes them less effective against some This makes them less effective against some

attacksattacks

Page 25: Ch13 Protecting Networks with Security Devices

Implementing a FirewallImplementing a Firewall

Using only one firewall between a Using only one firewall between a company’s internal network and the company’s internal network and the Internet is dangerousInternet is dangerous– It leaves the company open to attack if a It leaves the company open to attack if a

hacker compromises the firewallhacker compromises the firewall

Use a demilitarized zone insteadUse a demilitarized zone instead

Page 26: Ch13 Protecting Networks with Security Devices

Demilitarized Zone (DMZ)Demilitarized Zone (DMZ)

DMZ is a small network containing DMZ is a small network containing resources available to Internet usersresources available to Internet users– Helps maintain security on the company’s Helps maintain security on the company’s

internal networkinternal network

Sits between the Internet and the internal Sits between the Internet and the internal networknetwork

It is sometimes referred to as a “perimeter It is sometimes referred to as a “perimeter network”network”

Page 27: Ch13 Protecting Networks with Security Devices
Page 28: Ch13 Protecting Networks with Security Devices
Page 29: Ch13 Protecting Networks with Security Devices

Understanding the Private Understanding the Private Internet Exchange (PIX) FirewallInternet Exchange (PIX) Firewall

Cisco PIX firewallCisco PIX firewall– One of the most popular firewalls on the One of the most popular firewalls on the

marketmarket

Page 30: Ch13 Protecting Networks with Security Devices

Configuration of the PIX FirewallConfiguration of the PIX Firewall

Working with a PIX firewall is similar to Working with a PIX firewall is similar to working with any other Cisco routerworking with any other Cisco router

Login promptLogin promptIf you are not authorized to be in this XYZ If you are not authorized to be in this XYZ Hawaii network device,Hawaii network device,

log out immediately!log out immediately!

User Access VerificationUser Access Verification

Password:Password:

– This banner serves a legal purposeThis banner serves a legal purpose– A banner that says “welcome” may prevent A banner that says “welcome” may prevent

prosecution of hackers who enterprosecution of hackers who enter

Page 31: Ch13 Protecting Networks with Security Devices

PIX Firewall FeaturesPIX Firewall Features

One PIX can be used to create a DMZOne PIX can be used to create a DMZ– See link Ch 13kSee link Ch 13k

Page 32: Ch13 Protecting Networks with Security Devices

PIX Firewall FeaturesPIX Firewall Features

Unicast Reverse Path ForwardingUnicast Reverse Path Forwarding– Also known as "reverse route lookup"Also known as "reverse route lookup"– Checks to see that packets have correct Checks to see that packets have correct

source IP addressessource IP addresses

Flood DefenderFlood Defender– Prevents SYN FloodsPrevents SYN Floods– Only a limited number of "embryonic Only a limited number of "embryonic

connections" are allowedconnections" are allowed

Page 33: Ch13 Protecting Networks with Security Devices

PIX Firewall FeaturesPIX Firewall Features

FragGuard and Virtual Re-AssemblyFragGuard and Virtual Re-Assembly– Re-assembles IP fragments to prevent some Re-assembles IP fragments to prevent some

DoS attacks, like the Ping of Death and DoS attacks, like the Ping of Death and TeardropTeardrop

LimitsLimits– DNS ResponsesDNS Responses– ActiveX controlsActiveX controls– Java appletsJava applets

I skipped pages 333-336I skipped pages 333-336

Page 34: Ch13 Protecting Networks with Security Devices

Microsoft ISAMicrosoft ISAInternet Security and Acceleration (ISA)Internet Security and Acceleration (ISA)

Microsoft’s software approach to firewallsMicrosoft’s software approach to firewalls

Microsoft Internet Security and Microsoft Internet Security and Acceleration (ISA) ServerAcceleration (ISA) Server– Software that runs on a Windows ServerSoftware that runs on a Windows Server– Functions as a software router, firewall, and Functions as a software router, firewall, and

IDS (Intrusion Detection System)IDS (Intrusion Detection System)

Page 35: Ch13 Protecting Networks with Security Devices

Microsoft ISAMicrosoft ISAISA protects your network from Internet ISA protects your network from Internet threatsthreats

Page 36: Ch13 Protecting Networks with Security Devices

Microsoft ISAMicrosoft ISAISA lets remote users connect securely, ISA lets remote users connect securely, handling authentication and encryptionhandling authentication and encryption

Image from microsoft.com, link Ch 13mImage from microsoft.com, link Ch 13m

Page 37: Ch13 Protecting Networks with Security Devices

Microsoft ISAMicrosoft ISA

ISA has the same functionality as any ISA has the same functionality as any hardware routerhardware router– Packet filtering to control incoming trafficPacket filtering to control incoming traffic– Application filtering through the examination Application filtering through the examination

of protocolsof protocols– Intrusion detection filtersIntrusion detection filters– Access policies to control outgoing trafficAccess policies to control outgoing traffic

Page 38: Ch13 Protecting Networks with Security Devices

IP Packet FiltersIP Packet Filters

ISA enables administrators to filter IP ISA enables administrators to filter IP traffic based on the following:traffic based on the following:– Source and destination IP addressSource and destination IP address– Network protocol, such as HTTPNetwork protocol, such as HTTP– Source port or destination portSource port or destination port

ISA provides a GUI for these ISA provides a GUI for these configurationsconfigurations– A network segment can be denied or allowed A network segment can be denied or allowed

HTTP access in the Remote Computer tabHTTP access in the Remote Computer tab

Page 39: Ch13 Protecting Networks with Security Devices
Page 40: Ch13 Protecting Networks with Security Devices
Page 41: Ch13 Protecting Networks with Security Devices

Application FiltersApplication Filters

Can accept or deny data from specific Can accept or deny data from specific applications or data containing specific applications or data containing specific contentcontent

SMTP filter can restrictSMTP filter can restrict– E-mail with specific attachmentsE-mail with specific attachments– E-mail from a specific user or domainE-mail from a specific user or domain– E-mail containing specific keywordsE-mail containing specific keywords– SMTP commandsSMTP commands

Page 42: Ch13 Protecting Networks with Security Devices
Page 43: Ch13 Protecting Networks with Security Devices
Page 44: Ch13 Protecting Networks with Security Devices

Application FiltersApplication Filters

Email can also be filtered based oEmail can also be filtered based o– Sender's nameSender's name– Sender's domainSender's domain– Keywords like VIAGRA or MortgageKeywords like VIAGRA or Mortgage

These techniques are not very effective—These techniques are not very effective—spammers know how to defeat themspammers know how to defeat them

Page 45: Ch13 Protecting Networks with Security Devices

Application FiltersApplication Filters

SMTP Commands SMTP Commands tabtab– Administrator can Administrator can

prevent a user prevent a user from running from running SMTP commandsSMTP commands

Page 46: Ch13 Protecting Networks with Security Devices

Application FiltersApplication Filters

FTP Access filterFTP Access filter

H.323 filterH.323 filter– real-time multimedia conferencesreal-time multimedia conferences

See link Ch 13nSee link Ch 13n

Page 47: Ch13 Protecting Networks with Security Devices

Intrusion Detection FiltersIntrusion Detection Filters

Analyze all traffic for possible known Analyze all traffic for possible known intrusionsintrusions– DNS intrusion detection filterDNS intrusion detection filter– POP filter POP filter – RPC filterRPC filter– SMTP filterSMTP filter– SOCKS filterSOCKS filter– Streaming Media filterStreaming Media filter– Web Proxy filterWeb Proxy filter

Page 48: Ch13 Protecting Networks with Security Devices
Page 49: Ch13 Protecting Networks with Security Devices
Page 50: Ch13 Protecting Networks with Security Devices

Intrusion Detection Systems Intrusion Detection Systems (IDSs)(IDSs)

Monitor network devices so that security Monitor network devices so that security administrators can identify attacks in progress administrators can identify attacks in progress and stop themand stop them

An IDS looks at the traffic and compares it with An IDS looks at the traffic and compares it with known exploitsknown exploits– Similar to virus software using a signature file to Similar to virus software using a signature file to

identify virusesidentify viruses

TypesTypes– Network-based IDSsNetwork-based IDSs

– Host-based IDSsHost-based IDSs

Page 51: Ch13 Protecting Networks with Security Devices

Network-Based and Host-Based Network-Based and Host-Based IDSsIDSs

Network-based IDSsNetwork-based IDSs– Monitor activity on network segmentsMonitor activity on network segments– They sniff traffic and alert a security They sniff traffic and alert a security

administrator when something suspicious administrator when something suspicious occursoccurs

See link Ch 13oSee link Ch 13o

Page 52: Ch13 Protecting Networks with Security Devices

Network-Based and Host-Based Network-Based and Host-Based IDSsIDSs

Host-based IDSsHost-based IDSs– The software is installed on the server you’re The software is installed on the server you’re

attempting to protect, like antivirus softwareattempting to protect, like antivirus software– Used to protect a critical network server or Used to protect a critical network server or

database serverdatabase server

Page 53: Ch13 Protecting Networks with Security Devices

Passive and Active IDSsPassive and Active IDSs

IDSs are categorized by how they react IDSs are categorized by how they react when they detect suspicious behaviorwhen they detect suspicious behavior– Passive systemsPassive systems

Send out an alert and log the activitySend out an alert and log the activity

Don't try to stop itDon't try to stop it

– Active systemsActive systemsLog events and send out alertsLog events and send out alerts

Can also interoperate with routers and firewalls to Can also interoperate with routers and firewalls to block the activity automaticallyblock the activity automatically

Page 54: Ch13 Protecting Networks with Security Devices
Page 55: Ch13 Protecting Networks with Security Devices

Understanding HoneypotsUnderstanding Honeypots

HoneypotHoneypot– Computer placed on the perimeter of a networkComputer placed on the perimeter of a network– Contains information intended to lure and then Contains information intended to lure and then

trap hackerstrap hackers

Computer is configured to have Computer is configured to have vulnerabilitiesvulnerabilities

GoalGoal– Keep hackers connected long enough so they Keep hackers connected long enough so they

can be traced backcan be traced back

Page 56: Ch13 Protecting Networks with Security Devices

How They WorkHow They Work

A honeypot appears to have important data A honeypot appears to have important data or sensitive information stored on itor sensitive information stored on it– Could store fake financial data that tempts Could store fake financial data that tempts

hackers to attempt browsing through the datahackers to attempt browsing through the data

Hackers will spend time attacking the Hackers will spend time attacking the honeypothoneypot– And stop looking for real vulnerabilities in the And stop looking for real vulnerabilities in the

company’s networkcompany’s network

Honeypots also enable security professionals Honeypots also enable security professionals to collect data on attackersto collect data on attackers

Page 57: Ch13 Protecting Networks with Security Devices

Commercial HoneypotsCommercial Honeypots

Page 58: Ch13 Protecting Networks with Security Devices

Open-Source HoneypotsOpen-Source Honeypots

Page 59: Ch13 Protecting Networks with Security Devices

How They Work (continued)How They Work (continued)

Virtual honeypotsVirtual honeypots– Honeypots created using software solutions Honeypots created using software solutions

instead of hardware devicesinstead of hardware devices– Example: HoneydExample: Honeyd

Page 60: Ch13 Protecting Networks with Security Devices

Project Honey PotProject Honey Pot

Web masters install Web masters install software on their software on their websiteswebsitesWhen spammers When spammers harvest email addresses harvest email addresses from sites, HoneyNet's from sites, HoneyNet's servers record the IP of servers record the IP of the harvesterthe harvester– Can help prosecute the Can help prosecute the

spammers and block the spammers and block the spamspam

Link Ch 13pLink Ch 13p

Page 61: Ch13 Protecting Networks with Security Devices

Uses a Capture Server and one or more Uses a Capture Server and one or more Capture ClientsCapture Clients– The clients run in virtual machinesThe clients run in virtual machines– Clients connect to suspect Web serversClients connect to suspect Web servers– If the client detects an infection, it alerts the If the client detects an infection, it alerts the

Capture Server and restores itself to a clean Capture Server and restores itself to a clean statestate

– The server gathers data about malicious The server gathers data about malicious websiteswebsites

See link Ch 13qSee link Ch 13q